CVE-2025-29312
Published: 24 March 2025
Description
Adversaries may alter data en route to storage or other systems in order to manipulate external outcomes or hide activity, thus threatening the integrity of the data.
Security Summary
CVE-2025-29312 is a vulnerability in ONOS version 2.7.0, an open-source SDN controller. The issue, classified under CWE-670 (Always-Incorrect Control Flow Implementation), enables attackers to trigger unexpected behavior within a device connected to a legacy switch. This occurs by changing the link type from indirect to direct, potentially disrupting normal network operations. The vulnerability received a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H), indicating critical severity due to high impacts on integrity and availability with no confidentiality impact.
Remote attackers require no privileges, user interaction, or special conditions beyond network access to exploit this vulnerability, making it highly accessible with low attack complexity. Successful exploitation allows attackers to alter link configurations in the SDN environment, leading to unexpected behavior in connected devices on legacy switches. This can result in significant integrity violations, such as incorrect data routing or state changes, and availability disruptions, potentially causing service outages or misconfigurations in the controlled network.
References for CVE-2025-29312 point to a GitHub Gist at https://gist.github.com/Saber-Berserker/4e54c2aa70abab2b133ce2c2b7e91249, which provides additional details on the issue. No specific patch or mitigation guidance is detailed in the provided information.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Vulnerability enables remote unauth alteration of SDN link configurations, facilitating network service outages (T1498) and incorrect data routing/state changes (T1565.002).